CVE-2025-60349: n/a
An issue was discovered in Prevx v3.0.5.220 allowing attackers to cause a denial of service via sending IOCTL code 0x22E044 to the pxscan.sys driver. Any processes listed under registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pxscan\Files will be terminated.
AI Analysis
Technical Summary
CVE-2025-60349 is a vulnerability identified in Prevx version 3.0.5.220, specifically targeting the pxscan.sys kernel-mode driver. The flaw allows attackers to send a crafted IOCTL (I/O control) code, 0x22E044, to the driver, which triggers the termination of every process registered under the Windows registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pxscan\Files. This behavior leads to a denial of service (DoS) condition by forcibly stopping critical processes, potentially including security or system services managed by Prevx. The vulnerability does not require any privileges or user interaction, making it remotely exploitable over the network if the driver interface is exposed. The CVSS v3.1 base score of 7.5 reflects high severity due to the ease of exploitation (attack vector: network, attack complexity: low, privileges required: none, user interaction: none) and the impact on availability (complete denial of service). The vulnerability is categorized under CWE-400 (Uncontrolled Resource Consumption), indicating that the attack exploits a resource-management flaw to disrupt service. No patches or mitigations have been officially published yet, and no exploits are reported in the wild as of the publication date. However, the potential impact on endpoint security and system stability is significant, especially in environments where Prevx is deployed for malware protection and system monitoring.
Potential Impact
For European organizations, the primary impact of CVE-2025-60349 is operational disruption due to denial of service. Since Prevx is an endpoint security product, termination of its processes could disable malware scanning, real-time protection, and other security functions, increasing the risk of subsequent attacks or infections. Critical sectors such as finance, healthcare, energy, and government could experience service outages or degraded security posture, potentially leading to regulatory compliance issues under GDPR and other frameworks. The lack of confidentiality or integrity impact limits data breach risks directly from this vulnerability, but the availability impact could cascade into broader security incidents. Organizations with remote or distributed workforces relying on Prevx-protected endpoints may face increased exposure if attackers exploit this vulnerability to disable security controls. The absence of known exploits currently provides a window for proactive mitigation, but the low complexity and no authentication required make it likely that attackers will develop exploits rapidly.
Mitigation Recommendations
1. Immediately restrict access to the pxscan.sys driver interface by implementing strict access control lists (ACLs) on its device objects to prevent unauthorized IOCTL calls.
2. Monitor system and driver logs for unusual IOCTL code 0x22E044 activity or unexpected process terminations related to Prevx services.
3. Isolate endpoints running Prevx from untrusted networks, or segment them, to limit exposure to remote exploitation.
4. If possible, disable or unload the pxscan.sys driver temporarily on non-critical systems until a patch is available.
5. Engage Prevx vendor support for any available patches, updates, or workarounds and apply them promptly once released.
6. Deploy endpoint detection and response (EDR) tooling to detect anomalous process terminations and potential exploitation attempts.
7. Brief IT and security teams on this vulnerability so that incident response is rapid if exploitation is detected.
8. Review and harden registry permissions on HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pxscan\Files to prevent unauthorized modifications.
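The following PowerShell audit script is an added example for recommendations 2 and 8 above; it is not part of this advisory and is not code from the Prevx vendor. It reads the pxscan Files registry key named on this page, prints the values stored there, dumps the key's ACL and flags write-capable rights granted to broad principals, then cross-references each listed image against the running process list so a defender can see at a glance which of the processes the driver would terminate are currently alive. The layout of the values under the Files key is not documented on this page, so the script assumes each value holds an executable name or path and otherwise prints the data as-is; the principal patterns it warns on are an assumption as well.

```powershell
# Added example (not from the advisory or the vendor): audit the registry key
# that CVE-2025-60349 says pxscan.sys consults before terminating processes.
# Run from an elevated PowerShell prompt on a host with Prevx installed.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\pxscan\Files'

if (-not (Test-Path $key)) {
    Write-Output "Key not present: $key (pxscan driver/service may not be installed)"
    return
}

# 1. List the entries the driver would act on (value layout assumed; printed raw).
Write-Output "== Values under $key =="
$item = Get-Item $key
foreach ($name in $item.GetValueNames()) {
    $data = $item.GetValue($name)
    Write-Output ("{0} = {1}" -f $name, (@($data) -join ', '))
}

# 2. Show who can modify the key (recommendation 8).
Write-Output "`n== ACL on $key =="
$acl = Get-Acl $key
$acl.Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# Any of these rights lets a principal change which processes get terminated.
$writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::Delete -bor
             [System.Security.AccessControl.RegistryRights]::WriteKey

# Principal names to warn on are an assumption; adjust to local policy.
$broad = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.RegistryRights -band $writeMask) -ne 0 -and
    ([string]$_.IdentityReference) -match 'Users|Everyone'
}
if ($broad) {
    Write-Output "`nWARNING: write-capable rights granted to broad principals:"
    $broad | Select-Object IdentityReference, RegistryRights | Format-Table -AutoSize
} else {
    Write-Output "`nNo broad write-capable ACEs found on the key."
}

# 3. Which of the listed images are running right now (recommendation 2)?
#    An unexpected drop from 'running' to 'NOT running' across two runs is the
#    symptom the advisory describes.
Write-Output "`n== Listed images vs. running processes =="
$running = Get-Process | Select-Object -ExpandProperty ProcessName -Unique
foreach ($name in $item.GetValueNames()) {
    foreach ($entry in @($item.GetValue($name))) {
        $base = [System.IO.Path]::GetFileNameWithoutExtension([string]$entry)
        if (-not $base) { continue }
        $state = if ($running -contains $base) { 'running' } else { 'NOT running' }
        Write-Output ("{0,-40} {1}" -f $entry, $state)
    }
}
```

Schedule the script (or its last section) to run periodically and diff the output; a set of Prevx images that were running in one sample and absent in the next, with no corresponding service stop in the System event log, is the process-termination pattern worth escalating. The device-object ACL from recommendation 1 is not checked here because the driver's device name is not given on this page.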
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6900f0e28b5ca1e4f6b448e7
Added to database: 10/28/2025, 4:35:46 PM
Last enriched: 11/5/2025, 2:15:53 AM
Last updated: 12/14/2025, 4:06:20 PM
Views: 77